ADLS Gen2 Storage RBAC for user from differnt AAD tenant

Guru V 41 Reputation points
2022-03-08T00:27:02.973+00:00

HI,
I have a service which is used by users from different AAD tenant like user1@a.onmicorosoft.com and user2@b.onmicrosoft.com.
my blob storage is in my app AAD tenant.
I want to assign permissions to users from different AAD tenant(to their specific folder), on my storage account to access file.
What is the recommended approach for this.

Data for 1 user should not be accessible by user from another AAD tenant.

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,379 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,504 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
689 questions
0 comments No comments
{count} votes

Accepted answer
  1. KranthiPakala-MSFT 46,427 Reputation points Microsoft Employee
    2022-03-08T23:17:05.607+00:00

    Hello @Guru V ,

    Thanks for the question and using MS Q&A platform.

    As I understand the ask here is that you want to know how to assign permissions to users from different tenant to a specific folder on your storage account to access the files.

    If the users and you are in different tenant, then you need to invite as a Guest and add ACL's permissions to the respective storage account folders.
    Here is another Q&A thread where a similar topic has been discussed - Is cross tenant blob access possible in azure?

    ACLs give you the ability to apply "finer grain" level of access to directories and files. An ACL is a permission construct that contains a series of ACL entries. Each ACL entry associates security principal with an access level. To learn more, see: Access control lists (ACLs) in Azure Data Lake Storage Gen2.

    In your case you don't have to give any RBAC's. A RBAC permission set can give a security principal a "coarse-grain" level of access such as read or write access to all of the data in a storage account or all of the data in a container.

    Azure role assignments (RBACs) are evaluated first and take priority over any ACL assignments. If the operation is fully authorized based on Azure role assignment, then ACLs are not evaluated at all. That's because the system evaluates Azure role assignments first, and if the assignment grants sufficient access permission, ACLs are ignored. If the operation is not fully authorized, then ACLs are evaluated.

    181222-image.png

    The following diagram shows the permission flow for three common operations: listing directory contents, reading a file, and writing a file.

    181174-image.png

    Here is a detailed explanation of how ACLs and RBACS are evaluated: Permissions table: Combining Azure RBAC and ACL

    Hope this will help. Please let us know if any further queries.

    ------------------------------

    • Please don't forget to click on 130616-image.png or upvote 130671-image.png button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification
    • If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators
    0 comments No comments

0 additional answers

Sort by: Most helpful